The website of global intelligence-analysing firm Stratfor remains offline - a week after hacktivists broke into its poorly secured systems and extracted passwords and credit card details.
Members of Anonymous claimed to have broken into the website and slurped 200GB of sensitive information on Christmas Eve. The hackers claim …

CSID - meh

"As a result, we have provided paid subscribers with identity protection coverage from CSID, a leading provider of global identity protection, at our expense for 12 months."

Well...

The offer was made using an email that actually looked like a phishing attempt (the link shown and the URL did not agree), and CSID weren't set up for the offer anyway, so many people found themselves looking at 404 or other errors when trying to access the site.

An e-mail sent to CSID's support address asking for assistance remains unanswered a week after being sent.

A support ticket submitted via CSID's own website resulted in a standardised reply to a completely different question - having asked how to subscribe to the offered services, I received information about how to recover the password I had not yet set. Less than impressive, but in the end I did manage to locate the right part of their site - which again didn't agree with the info provided by the e-mail invitation.

The 'cover' provided basically means that CSID will keep an eye open to see if ONE mail address, ONE phone number and up to FOUR credit card numbers per person are being bandied about on the Interwebs... which since I already know that the mail address and a credit card number were compromised doesn't really help me an awful lot to be honest, especially since the card's been cancelled as a precaution.

Oh and... CSID were almost certainly chosen not because of the standard of service provided, but because, like Stratfor, they are based in Austin, Texas - so their principals almost certainly know each other if they're both active in the local business community. Just saying.

Good Points

The CSID sop is just there to make it look like they are a half-way decent organisation, but as you say there doesn't seem much point in having a company monitor to see if your card details have been compromised AFTER they have been compromised.

"Security firms slammed Stratfor for making schoolboy errors, such as not encrypting its password database."

*Dr Pepper*

They want to be put out of business for stuff like that! Never mind the police investigating the hackers - investigate this lot and their shitty security! Doesn't the DPA have something to say about things like this?

Quite - I created a hobby website for a MMORPG clan with password auth about 10 years ago and encrypted the passwords (MD5, IIRC) before they hit the database as a matter of course, even though the data really wasn't that interesting or important. If someone forgot their password, an admin had to reset it. My guess is that they wanted to be able to email out people's forgotten passwords, which is convenient, but poor security.

My understanding is that passwords were hashed. It's credit card and other sensitive ID information that was not. md5 is useless for these things, because you need to be able to decrypt them for repeat billing and the like (otherwise it'd be safer not to store them at all).

Without knowing what hashing algorithm was used for the passwords, it's impossible to speak with confidence, but there's always a possibility of hash collisions -- you may have had the world's greatest password, but a weak hashing algorithm might result in a collision with "password123".

Password hashing is not the issue

@John Riddoch: Hashing the passwords (which is not, by the way, "encrypting" them) is not the issue. Note the bit in the article about "analysis" showing that many of the passwords were weak and so could be brute-forced; if they were kept in plaintext, no analysis or brute-forcing would be necessary. Passwords were almost certainly hashed - ie, discarded after computing a verifier, which was likely a salted cryptographic hash.

The problem is that people choose weak passwords. (The real problem is that passwords are an abysmal authentication mechanism, but that's an argument for another time. Oh, and contra another post, collisions are not worth worrying about if a cryptographic hash is used. While MD5 has been broken for preimage collisions, the probability of an accidental collision is vanishingly small. And it's unlikely Stratfor were using anything more collision-prone.) And when people choose weak passwords, their hashes can be brute-forced with reasonable effort.

So you want to prevent attackers from getting password hashes in the first place. And one way to do that is to encrypt the hash store (which might be a file, a database table, etc). When the server starts, an administrator supplies it with the encryption key, and it decrypts the hash store or individual hashes in memory. Now the server can use the hashes to verify passwords, but someone who grabs the hash store can't extract the hashes unless they also get hold of the encryption key. Often those are separate problems - a vulnerability lets an attacker read arbitrary files from the server's filesystem, say, but not grab the encryption key from the server's memory.
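The scheme the comment above describes, as an added example that is not the commenter's code or anything Stratfor ran: salted PBKDF2 verifiers are kept in a hash store that is encrypted and authenticated at rest, the server receives the store key from an administrator at startup and decrypts only in memory, so a file-read bug yields an opaque blob, while (as the next comment notes) anything that talks to the live server, such as an injectable front end, still sees decrypted data. The cipher is an illustrative HMAC-SHA256 stream construction built from the standard library so the block runs anywhere; the account name and password are constructed sample values.

```python
import base64, hashlib, hmac, json, os

ITER = 200_000  # PBKDF2 work factor; raise as hardware allows

def make_verifier(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 verifier; the password itself is discarded."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def check_password(verifier: bytes, password: str) -> bool:
    salt, dk = verifier[:16], verifier[16:]
    return hmac.compare_digest(dk, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER))

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # separate enc and mac keys

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal_store(store_key: bytes, users: dict) -> bytes:
    """Encrypt-then-MAC the whole hash store. Illustrative HMAC-based stream cipher
    built from the stdlib; in production use AES-GCM from a vetted library."""
    plain = json.dumps({u: base64.b64encode(v).decode() for u, v in users.items()}).encode()
    nonce = os.urandom(16)
    ks = _keystream(_subkey(store_key, b"enc"), nonce, len(plain))
    ct = bytes(a ^ b for a, b in zip(plain, ks))
    tag = hmac.new(_subkey(store_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_store(store_key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(store_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):  # verify before decrypting
        raise ValueError("wrong key or tampered hash store")
    ks = _keystream(_subkey(store_key, b"enc"), nonce, len(ct))
    plain = bytes(a ^ b for a, b in zip(ct, ks))
    return {u: base64.b64decode(v) for u, v in json.loads(plain).items()}

def login(users: dict, name: str, password: str) -> bool:
    return name in users and check_password(users[name], password)

def demo() -> dict:
    store_key = os.urandom(32)  # handed to the server by an admin at startup, never written to disk
    users = {"alice": make_verifier("correct horse battery staple")}  # constructed sample account
    blob = seal_store(store_key, users)   # the file an arbitrary-file-read bug would expose
    loaded = open_store(store_key, blob)  # what the running server holds in memory
    return {"name_on_disk": b"alice" in blob, "verifier_on_disk": users["alice"] in blob,
            "login_ok": login(loaded, "alice", "correct horse battery staple"),
            "login_bad": login(loaded, "alice", "password123")}
```

Note that the verifiers are still only as strong as the passwords behind them once the key is known, which is exactly why the comment treats the key as a separate thing to protect.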

As you may have realised, my collision comment was in response to the comment about Gerhard Mack's password being wrong, and even then I qualified it with a lack of confidence in my inference.

As for encrypting the hash store -- that's all well and good, until it turns out that your hash store is a database table, and the front end to that database is vulnerable to SQL injection. No idea if that had anything to do with how they got the password and billing details, but since Stratfor got almost everything else wrong, it wouldn't surprise me if simple script kiddie stuff played a big part.

Just keep locking up Anonymous players

The point being

@AC

How is this an Emperor's new clothes story? Surely this is another Anonymous manage to hack someone who has poor security story? This still doesn't make what they're doing right, or justifiable though. Their current MO seems to be finding a target with poor security, then making up a story to justify what they've done.

@Steve Knox

Note the large "citation needed" next to that line in the Wikipedia entry. It's there because the line is actually very wrong.

Stratfor is not a security company; it's a private intelligence service that keeps its subscribers up to date on world events and their likely outcomes. While there is the odd video about physical security, those videos aren't the majority and aren't the primary reason for the site. I have also never seen Stratfor claim to know anything about IT security.

The System is a bit slow to realise that it is no longer in sole executive administrative control and therefore is absolute power lost and rapidly diminishing as currency is drained away to other power units ........ and SMART Power Units and growing SMARTer at a prodigious rate to boot, for a triple whammy of novel innovative change to renegade hopes.

"Two things are infinite: the universe and human stupidity; and I'm not even sure about the universe."~~ Albert Einstein (1879-1955)

Use credit cards to

Bah!

Why wasn't ALL the data encrypted, for Azathoth's sake?

Nyarlathotep on a bike! How hard is it to understand that there is an endless supply of hackers out there and that therefore any publicly available data sink will be breached eventually so make sure all they get is pure gibberish?

CryptoWorld (typo fixed)

Why wasn't it all encrypted?

Because, in simple terms, the cheap way of doing this makes it too hard to use the data, and companies are too tight-fisted to protect things when it costs others to fix it.

If they were fined $100 per record breach, it would suddenly become massively cost effective for them to protect the data. (Better still, if each individual record owner could sue them for $100 it would be fairer).

The problem at the moment is that while the data has some value to the company (Stratfor here), having it compromised doesn't really present a scalable cost that they can envisage upfront. It is all hypothetical costs about reputational damage and the costs of remediation work (if any).

This means that businesses frequently make the cost-driven decision to neglect security, taking a risk with other people's data in the belief that if it does go wrong they can just PR their way out of it while the customers are left sorting out the issues.

Oddly it frequently works out this way (have Sony seen a reduction in sales?) and until the customers change, the businesses won't even consider it.